Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: pu
A security update deemed not serious enough for a DSA, as discussed at <http://bugs.debian.org/695224>. The security team has requested this be fixed in stable. The attached patch does so; please may I upload? Thanks, Dominic.
diff --git a/debian/changelog b/debian/changelog index bc6d714..1f28a9b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +perl (5.10.1-17squeeze5) stable; urgency=low + + * [SECURITY] CVE-2012-6329: Fix misparsing of maketext strings which + could allow arbitrary code execution from untrusted maketext templates + (Closes: #695224) + + -- Dominic Hargreaves <d...@earth.li> Sat, 16 Feb 2013 19:00:31 +0000 + perl (5.10.1-17squeeze4) stable-security; urgency=low * [SECURITY] CVE-2012-5195: fix a heap buffer overrun with diff --git a/debian/patches/fixes/maketext-code-execution.diff b/debian/patches/fixes/maketext-code-execution.diff new file mode 100644 index 0000000..2d09ad7 --- /dev/null +++ b/debian/patches/fixes/maketext-code-execution.diff 
@@ -0,0 +1,66 @@ +From: Brian Carlson <brian.carl...@cpanel.net> +Subject: Fix misparsing of maketext strings. + +Case 61251: This commit fixes a misparse of maketext strings that could +lead to arbitrary code execution. Basically, maketext was compiling +bracket notation into functions, but neglected to escape backslashes +inside the content or die on fully-qualified method names when +generating the code. This change escapes all such backslashes and dies +when a method name with a colon or apostrophe is specified. + +Backported to 5.10.1 by Dominic Hargreaves. + +Bug-Debian: http://bugs.debian.org/695224 +Origin: http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8 +Patch-Name: fixes/maketext-code-execution.diff + +diff --git a/lib/Locale/Maketext/Guts.pm b/lib/Locale/Maketext/Guts.pm +index 9af292c..0a3bacf 100644 +--- a/lib/Locale/Maketext/Guts.pm ++++ b/lib/Locale/Maketext/Guts.pm +@@ -140,21 +140,9 @@ sub _compile { + # 0-length method name means to just interpolate: + push @code, ' ('; + } +- elsif($m =~ /^\w+(?:\:\:\w+)*$/s +- and $m !~ m/(?:^|\:)\d/s +- # exclude starting a (sub)package or symbol with a digit ++ elsif($m =~ /^\w+$/s ++ # exclude anything fancy, especially fully-qualified module names + ) { +- # Yes, it even supports the demented (and undocumented?) +- # $obj->Foo::bar(...) syntax. +- $target->_die_pointing( +- $_[1], q{Can't use "SUPER::" in a bracket-group method}, +- 2 + length($c[-1]) +- ) +- if $m =~ m/^SUPER::/s; +- # Because for SUPER:: to work, we'd have to compile this into +- # the right package, and that seems just not worth the bother, +- # unless someone convinces me otherwise. +- + push @code, ' $_[0]->' . $m . 
'('; + } + else { +@@ -208,7 +196,9 @@ sub _compile { + elsif(substr($1,0,1) ne '~') { + # it's stuff not containing "~" or "[" or "]" + # i.e., a literal blob +- $c[-1] .= $1; ++ my $text = $1; ++ $text =~ s/\\/\\\\/g; ++ $c[-1] .= $text; + + } + elsif($1 eq '~~') { # "~~" +@@ -246,7 +236,9 @@ sub _compile { + else { + # It's a "~X" where X is not a special character. + # Consider it a literal ~ and X. +- $c[-1] .= $1; ++ my $text = $1; ++ $text =~ s/\\/\\\\/g; ++ $c[-1] .= $text; + } + } + } diff --git a/debian/patches/patchlevel b/debian/patches/patchlevel index 2a998f0..aab8c52 100644 --- a/debian/patches/patchlevel +++ b/debian/patches/patchlevel @@ -1,4 +1,4 @@ -Subject: List packaged patches for 5.10.1-17squeeze4 in patchlevel.h +Subject: List packaged patches for 5.10.1-17squeeze5 in patchlevel.h Origin: vendor Bug-Debian: http://bugs.debian.org/567489 @@ -8,7 +8,7 @@ The list can be refreshed from information in debian/patches by running --- perl/patchlevel.bak +++ perl/patchlevel.h -@@ -133,0 +134,59 @@ +@@ -133,0 +134,60 @@ + ,"DEBPKG:debian/arm_thread_stress_timeout - http://bugs.debian.org/501970 Raise the timeout of ext/threads/shared/t/stress.t to accommodate slower build hosts" + ,"DEBPKG:debian/cpan_config_path - Set location of CPAN::Config to /etc/perl as /usr may not be writable." + ,"DEBPKG:debian/cpan_definstalldirs - Provide a sensible INSTALLDIRS default for modules installed from CPAN." 
@@ -67,4 +67,5 @@ The list can be refreshed from information in debian/patches by running + ,"DEBPKG:fixes/CVE-2012-5195 - avoid calling memset with a negative count" + ,"DEBPKG:fixes/CVE-2012-5526 - [PATCH 1/4] CR escaping for P3P header" + ,"DEBPKG:fixes/storable-security-warning - [PATCH] add a note about security concerns in Storable" -+ ,"DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze4 in patchlevel.h" ++ ,"DEBPKG:fixes/maketext-code-execution - Fix misparsing of maketext strings." ++ ,"DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze5 in patchlevel.h" diff --git a/debian/patches/series b/debian/patches/series index 6eb1224..3a6f2e2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -56,4 +56,5 @@ fixes/unregister_signal_handler.diff fixes/CVE-2012-5195.diff fixes/CVE-2012-5526.diff fixes/storable-security-warning.diff +fixes/maketext-code-execution.diff patchlevel -p1 diff --git a/lib/Locale/Maketext/Guts.pm b/lib/Locale/Maketext/Guts.pm index 9af292c..0a3bacf 100644 --- a/lib/Locale/Maketext/Guts.pm +++ b/lib/Locale/Maketext/Guts.pm @@ -140,21 +140,9 @@ sub _compile { # 0-length method name means to just interpolate: push @code, ' ('; } - elsif($m =~ /^\w+(?:\:\:\w+)*$/s - and $m !~ m/(?:^|\:)\d/s - # exclude starting a (sub)package or symbol with a digit + elsif($m =~ /^\w+$/s + # exclude anything fancy, especially fully-qualified module names ) { - # Yes, it even supports the demented (and undocumented?) - # $obj->Foo::bar(...) syntax. - $target->_die_pointing( - $_[1], q{Can't use "SUPER::" in a bracket-group method}, - 2 + length($c[-1]) - ) - if $m =~ m/^SUPER::/s; - # Because for SUPER:: to work, we'd have to compile this into - # the right package, and that seems just not worth the bother, - # unless someone convinces me otherwise. - push @code, ' $_[0]->' . $m . '('; } else { 
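Review bot: The new allowlist `elsif($m =~ /^\w+$/s` drops the old `$m !~ m/(?:^|\:)\d/s` guard together with the `::` support, so a method name that starts with a digit now reaches `push @code, ' $_[0]->' . $m . '('` instead of the rejection branch; that presumably only produces a compile error in the generated sub rather than anything exploitable, but it is a behaviour change the commit message does not mention. Writing the test as `elsif($m =~ /\A\w+\z/s and $m !~ /\A\d/)` would keep the digit exclusion and also close the trailing-newline case that `$` admits. The replacement comment `# exclude anything fancy, especially fully-qualified module names` should say what is being prevented, e.g. `# Only a bare identifier may be spliced into the generated code; "::" and "'" package separators are rejected (CVE-2012-6329).` The `else` branch that now receives names like `Foo::bar` is outside the hunk, as are the start and end of `_compile`; the same lines are carried again inside debian/patches/fixes/maketext-code-execution.diff.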
@@ -208,7 +196,9 @@ sub _compile { elsif(substr($1,0,1) ne '~') { # it's stuff not containing "~" or "[" or "]" # i.e., a literal blob - $c[-1] .= $1; + my $text = $1; + $text =~ s/\\/\\\\/g; + $c[-1] .= $text; } elsif($1 eq '~~') { # "~~" @@ -246,7 +236,9 @@ sub _compile { else { # It's a "~X" where X is not a special character. # Consider it a literal ~ and X. - $c[-1] .= $1; + my $text = $1; + $text =~ s/\\/\\\\/g; + $c[-1] .= $text; } } } diff --git a/patchlevel.h b/patchlevel.h index 1842b95..fbecc7c 100644 --- a/patchlevel.h +++ b/patchlevel.h @@ -189,7 +189,8 @@ static const char * const local_patches[] = { ,"DEBPKG:fixes/CVE-2012-5195 - avoid calling memset with a negative count" ,"DEBPKG:fixes/CVE-2012-5526 - [PATCH 1/4] CR escaping for P3P header" ,"DEBPKG:fixes/storable-security-warning - [PATCH] add a note about security concerns in Storable" - ,"DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze4 in patchlevel.h" + ,"DEBPKG:fixes/maketext-code-execution - Fix misparsing of maketext strings." + ,"DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze5 in patchlevel.h" ,NULL };
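Review bot: Both Guts.pm hunks (-208 and -246) repeat the same three lines `my $text = $1; $text =~ s/\\/\\\\/g; $c[-1] .= $text;` without saying why, and the reason only holds if `$c[-1]` is later emitted inside a single-quoted string in the generated Perl source, which happens outside the hunk; add a comment at the first site such as `# $c[-1] is spliced into generated source as a single-quoted literal; an unescaped backslash could end that literal early (CVE-2012-6329), so double it.` Since `'` is the other metacharacter in a single-quoted string, confirm that the quoting code further down escapes it too, otherwise this is only half of the fix the commit message describes. Folding the three lines into a small `_escape_literal` helper called as `$c[-1] .= _escape_literal($1);` from both sites would keep any future literal branch from missing the escape (the `s///r` form is not available on 5.10, hence the copy into `$text`). `_compile` starts and ends outside both hunks, and the same change is carried in debian/patches/fixes/maketext-code-execution.diff.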